[Bro] troubleshooting bro memory usage?

Seth Hall seth at icir.org
Sat Aug 10 08:19:40 PDT 2013

On Aug 9, 2013, at 3:30 PM, aaron gee-clough <lists at g-clef.net> wrote:

> Is there a way to disable this caching? (or have I mis-understood what 
> bro's doing with DNS?)

That's unrelated.  It's referring to DNS lookup requests happening at script land.  We ran into a case once where someone had written a script that did two reverse hostname lookups for every connection that was established (don't do this, it's *really* not a good idea).  Although I should point out that their Bro cluster was running quite well even in the face of that, but I don't think their DNS resolver was very happy about it. :)

In general, monitoring in front of a DNS resolver should be just fine.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130810/1fabeadc/attachment.bin 

More information about the Bro mailing list